Exploits in Wetware

Presented at BruCON 0x0A (2018), Oct. 5, 2018, 11 a.m. (60 minutes)

Robert discusses his third place experience at the Defcon 2017 SE CTF and how his efforts clearly show how easy it is to get sensitive information from any organization. The 2017 Verizon report clearly shows the dramatic growth rate of social engineering attacks and Robert demonstrates how he collected hundreds of data points from the target organization using OSINT techniques. He then goes into the vishing strategy he implemented to maximize the points he collected in the 20 minute live contest. Without much effort Robert was able to know their VPN, OS, patch level, executive personal cell phone numbers and place of residence. Robert lifts the curtain of the social engineering world by showing tricks of the trade such as the “incorrect confirmation” which is one of many methods to loosen the tongues of his marks. Robert then shows the pretexts he designed to attack companies and the emotional response each pretext is designed to trigger. By knowing these patters we can better educate our staff. With that much information at his fingertips, how long would it take him to convince your executive to make a bank transfer? If your organization lost a few million dollars due to social engineering, who would be to blame? Are you insured for that? Who is getting fired? Robert wraps up his talk with a series of strategies companies can take to reduce exposure and risk. He goes over current exposure, building defenses, getting on the offense and finally… a culture shift.

Presenters:

• Robert Sell
  Robert is a Senior IT Manager in the aerospace industry where he spends most of his time managing InfoSec teams. While his teams focus on the traditional blue/red team exercises, lately he has spent an increasing amount of time building defenses against social engineering. Robert has spoken about the rising SE risk at numerous events and on different security podcasts. In 2017 he competed at the Social Engineering Village Capture the Flag contest at Defcon 25. He placed third in this contest and since then has been teaching organizations how to defend against SE attacks and reduce the OSINT footprint. Robert is the creator of the Trace Labs Organization which is a crowd sourced OSINT platform for locating missing persons. The organization is also creating a OSINT curriculum for first responders. Robert is also a nine year veteran with Search & Rescue in British Columbia, Canada. In his SAR capacity, Robert is a Team Leader, Trainer, Marine Rescue Technician, Swift Water Technician and Tracker. While one may think that SAR has little do to with InfoSec, tracking lost subjects in the back country has many of the same qualities as tracking individuals or organizations online with OSINT. Robert grew up on a small fishing resort where he would have new friends every two weeks (he claims this had no psychological impact but we are not sure). When he has time, he enjoys super long (all day) runs in the mountains. He does at least one ultra run (50km) trail run per year.

Links:

• https://brucon0x0a.sched.com/event/FXIa/exploits-in-wetware

Similar Presentations:

• DeepSec 2020 „The Masquerade“ / The Art Of The Breach
• BruCON 0x08 (2016) / Keynote - Robert Schou & Gene Spafford
• DEF CON 14 (2006) / Cyber-crime Foiled Once Again? Help prove the innocence or guilt of Jack Grove